How much mobile fraud goes under your Radar?

Transcription

1 How much mobile fraud goes under your Radar? John Hurley, Chief Product Manager Executive Summary Mobile Operators are involved in a constant cat-and-mouse struggle with fraudsters who continually alter attack points and tactics in their efforts to make a quick (and dishonest) buck. However, as new fraud channels evolve and detection methods are developed, the old ones are rarely abandoned. Fraudsters will apply them to different networks or return to tried and tested fraud. This is especially so if they think an operator has dropped their guard or complicit partners can undermine detection.

2 Introduction Mobile Operators are involved in a constant cat-andmouse struggle with fraudsters who continually alter attack points and tactics in their efforts to make a quick (and dishonest) buck. However, as new fraud channels evolve and detection methods are developed, the old ones are rarely abandoned. Fraudsters will apply them to different networks or return to tried and tested fraud. This is especially so if they think an operator has dropped their guard or complicit partners can undermine detection. Most fraudsters and consequently fraud departments, focus on high-margin services where it is easiest to quickly run up large bills with relatively little traffic. However, more and more fraudsters are happy to keep under the radar by generating massive amounts of traffic over channels and services (such as SMS) for which the retail charges are very low. Fighting a rear-guard action, with limited staff, MNOs struggle to detect such discreet fraud before the amounts lost have become truly significant. The more fraud detection an operator can automate the better as this frees up staff to concentrate on finding the latest frauds and perpetrators. Most fraud detection relies on near-real time analysis of Event Data Records (EDRs) gathered from many systems of the network with alarms configured to highlight behavioral patterns indicative of fraudulent activity. Well understood, automated detection procedures can be allocated to staff outside the local fraud department, for example to a group-wide team or even to managed service providers which can provide further cost savings. SmartGuard is Jinny Software s solution for security and protection across mobile messaging and calling services. The solution supports all tried and tested automated detection procedures for messaging fraud prevention and detection. It also supports mechanisms enabling it to pro-actively identify traffic patterns indicative of fraud or abuse and block traffic temporarily or permanently. The solution includes an intelligent engine that learns and identifies the characteristics of Fraudulent or Spam messages. This facilitates the detection and blocking of new threats from the moment the system is installed. SmartGuard for messaging is an ideal solution for a mobile operator or group to detect and prevent attempted fraud on their messaging services. Attempts to defraud MNOs of revenue, once exposed, are usually pretty clearcut. Other abuses such as spam, bullying and harassment can be more subjective and difficult to judge. By empowering subscribers to manage the screening of their own inbound calls and messages, operators can ensure their subscribers are satisfied with their protection without themselves applying excessive control. With the addition of our other proxies the SmartGuard solution can be extended to support MMS filtering and Call filtering, personalisation and parental control. Thus expanding the breath of protection that can be supplied within the network. International Revenue Share is one of the top targets for fraudsters and roaming scenarios are particularly vulnerable. Delays in the receipt and processing of EDRs for roamers provides opportunity for fraud to progress for longer period of time before it can be detected. Because of the submission, delivery and detection mechanisms in place for SMS, nodes in the home network can still be included in the path of outbound roamers messages. This means that fraud detection can be applied in real time and forms an early-warning system for roaming fraud and for low-margin/highvolume schemes.

3 Mobile Fraud Detection: The Hundred Years War II As with any business operating a per-usage charging model, mobile telecommunications is subject to fraud. Almost since its inception, the wireless telecommunications industry has been embroiled in a constant battle to detect and frustrate the attempts of those who set out to: use the network s services free of charge or; artificially inflate service usage to boost their own profits The fact that customers can use services without physically connecting through wires or pipes and can move around and between countries exposes the business to particular challenges and risks. Subscription fraud is a major revenue leakage in markets with high rates of post-paid customers, as fraudsters provide fake or stolen identity papers to take out a subscription for which they never intend to pay. There is a thriving black market for SIM cards that are stolen with thousands of phones every day. These find there way to SIM Box fraudsters who use whatever credit they can to generate call or message traffic before the operator de-activates the SIM. Post-paid accounts are also the target of SIM hijacking, which is equivalent to SIM theft but more malicious because the true subscriber is unaware of it. This is even more harmful as a vector for other types of fraud. This is a never-ending war with battles fought over each individual SIM. As one is detected and blocked, it is replaced by another and the cycle starts again. Fraud detection and prevention is a major investment for operators and the more procedures that can be automated, the more the overheads of fraud management can be controlled. Note: Compared with fraud the threat from spam is less clear for most mobile operators. Unless there is specific regulation to address spam, many operators may not be as concerned about it. As beauty is in the eye of the beholder, spam is in the eye of its recipient. What one person considers a top tip, another may consider an intrusive invasion of privacy. Unless fraudulent delivery techniques are used, operators may derive a large revenue stream from the delivery of bulk messages. However, operators who expose subscribers freely to spam, may in the long term, devalue their reputations in the marketplace. Operators who implemented proper SPAM management systems typically increased their revenue from wholesale messaging in addition to building trust with their subscribers. Due to less stringent ID validation on prepaid accounts, prepaid SIMs are also attractive to fraudsters who may use innocent looking credit mule accounts to keep the SIMs used for fraud or spam sufficiently topped up. As fraudsters continually alter attack points and tactics in their efforts to make a quick (and dishonest) buck, operators must try to keep pace devising procedures and processes that prevent, delay and detect fraudulent practises. However, as new fraud channels evolve, the old ones are rarely abandoned. As operators in one market develop detection methods fraudsters simply target other networks. If fraudsters think an operator has dropped their guard or complicit partners can undermine detection, they happily return to tried and tested methods or variants that exploit loopholes.

4 Top Targets of Mobile Fraudsters Fraud is typically classified in 2 ways based on the following criteria: The type of revenue exploited (eg. payment fraud or revenue share fraud); The mechanism by which the fraud is perpetrated (eg. subscription fraud, traffic inflation or PBX hacking). There are of coarse many variants and combinations of the above. These all involve mechanisms that either: Enable subscribers to use the services of a network without paying; Enable businesses sharing revenue with Mobile Operators to artificially inflate their traffic and resulting revenues. Payment Fraud Payment fraud occurs when a subscriber of a mobile network evades payment for their use of network services. The mechanisms that enable this can include: Phone/SIM theft: Using services on a stolen phone and/or SIM without the owner s permission Subscription Fraud: Applying for a post-pay contract using fake/ stolen ID with the intention not to pay SIM Hijacking: Use of social engineering to transfer subscriber s MSISDN to a new SIM for unauthorized use Prepaid Fraud: Use of stolen recharge vouchers, stolen credit cards or hacking prepaid top-up Note: These types of fraud can only be prevented by ensuring that employees of the mobile operator and its agents follow strict guidelines while signing up subscribers and that subscribers vigilantly protect their phones and identity documents. Revenue Share Fraud In the complex eco-system that has grown around mobile communications, operators can have contractual relationships with hundreds of parties based on a revenue-sharing business model. The assumption is that operators can derive revenue by charging their registered subscribers for services and then share a proportion with various parties who enable the services used. Operators typically have revenue-share agreements with Value Added Service Providers, Premium Service Providers, interconnected operators, wholesale trunk providers, SMS hubbing providers, and roaming partners. In some scenarios, particularly when traffic crosses national borders, such relationships can be open to exploitation especially if the operator has no way of controlling which or even how many partners are used in routing their calls and messages. Arbitrage or Fraud? Arbitrage is widely practised in the international wholesale market for routing calls and SMS. Hundreds of businesses exist purely to take advantage of price differentials for using different routes to terminate calls and messages. Exploiting such differences in order to route genuine calls and messages to their destinations with the required quality of service is a perfectly legal activity. However, artificially generating traffic in order to inflate the profits of arbitrage is fraud. It is a thin line, across which many are tempted.

5 Premium Service Fraud This type of fraud involves service providers who establish revenue-share contracts for Premium Rate Short Codes or numbers with the mobile operator and then use fraudulent means of driving SMS, MMS or voice calls to the numbers. Various mechanisms can be used to generate the traffic: SIM Boxes of stolen or prepaid SIMs making calls or sending SMS & MMS; Open SMSC on another network;hacked PBX or VoIP soft switch; Smartphone malware sending SMS or MMS without the owner s knowledge; Messages routed to premium services using unapproved wholesale routes; Sending premium traffic to subscribers who have not requested the service. Although the fraudster s risk of detection is higher in attempting such fraud in the home country, the rewards can be great, especially if the traffic amounts and revenues are not dramatically high. In the long term a steady trickle of inflated traffic can be more lucrative than a sudden flood conducted over one weekend. International Revenue-Share Fraud (IRSF) This is probably the most insidious form of mobile fraud as the international element introduces many more parties to the transaction and removes the mobile operator s end-to-end view of services. Although most operators fraud systems work with near-real time event records, obtaining all relevant EDRs can be delayed by several hours in cases of international fraud. This means IRSF is more costly than domestic fraud and can progress undetected for longer. There are many different variants of IRSF involving different combinations of fraudulent parties. The typical case involves a fraudster leasing an international revenue share number from one of the many nefarious providers of such numbers. These numbers may appear to be on the numbering plan of a particular country but are owned by the service provider who routes calls and messages towards them according to the requirements of their client (fraudster). The fraudster then uses one of many possible ways to have calls terminate on their revenue share number. IRSF can also include complicit foreign operators or wholesale operators who ensure that messages or calls originating or transiting their networks do not follow the standard routes used for the destination number range. The inflated wholesale revenue is then shared between the complicit parties. Depending on which parties are involved in the fraud, various mechanisms can be used to generate the traffic: SIM Boxes containing stolen or prepaid SIMs making calls or sending SMS and MMS from a roaming location (Smartphone SIMs can support the initiation of multiple simultaneous calls); Stolen or hijacked SIMs use an open SMSC on a foreign network; Hacked PBX or VoIP soft switch; Smartphone malware sending SMS or MMS without the owner s knowledge; Fraudsters can target dormant voic boxes with calls and exploit dial-out vulnerabilities to call international revenue share numbers; Routing SMS or MMS traffic to international revenue share numbers via unapproved routes. Social engineering techniques can also be used to dupe bona fide subscribers into calling or texting IRSF numbers. Wangiri fraud uses missed call notifications to trick subscribers into calling the numbers ( Wangiri being the Japanese term for one ring which was all that the original practitionersallowed before dropping the call. Nowadays, there may not even be one!) Upon seeing the missed call, unsuspecting customers typically call back to see who was calling them and fall foul to the scam. The fraudsters may even use a number with an international prefix that can be confused with a local one in the victim s country. Thus recipients may not even recognize that it is an international number they are calling. In the case of calling fraud, terminating the call at an IVR, Voic or ring-back tone system, can help prolong call-time thus maximizing the revenue share. Upon connection of the call the service may play audio similar to the standard ring tone. The calling party is being charged for the call even though they may still think the call has not yet connected.

6 Roaming Fraud Roaming fraud specifically sets out to exploit the agreements between mobile operators which allow their subscribers to attach to each other s network and initiate or receive communications. As these agreements are also based on revenue sharing, they are attractive to fraudsters. Another attraction is the fact that visited networks must allow essentially unknown subscribers to use their services. Most operators have procedures to protect themselves from roaming fraud: Insisting that post-pay subscribers establish a healthy payment history before allowing them to roam abroad; Blocking prepaid roamers or using the CAMEL protocol for real-time queries to the home IN of in-roamers. Variants of Roaming Fraud Roaming fraud can take various guises again depending on the parties and purposes involved; Enabler for IRSF: Quite often SIM cards of one network are transported abroad to conduct traffic inflation simply because it is more difficult to detect Inflation of roaming and termination fees: If a wholesale or mobile operator is complicit in the fraud, they may benefit from the roaming, transit or termination fees accruing from the traffic Messaging Fraud Messaging Fraud is an area that may not garner as much focus but is still a large issue for many mobile operators. It generally exploits the agreements and trust between mobile operators who have interconnect and roaming agreements in place. The fraudsters can impose great cost on operators as they seek to deliver SMS or MMS through the wireless networks of licensed MNOs, without paying for the privilege or exposing their true identities. The major forms of messaging fraud include: Spoofing the identity of roaming subscribers on an unprotected SMSC or MMSC in order to send spam or smishing messages to another network; Faking the address of a foreign SMSC in order to exploit AA.19, SMS inter-working agreements between operators; Abusing message allocations given to subscribers in order to resell send bulk messaging to subscribers on 3rd party networks. Delivering premium or wholesale SMS to subscribers across unauthorized grey routes. ARP Risks The so-called EU Roaming Regulation III, which comes into effect July 2014, allows for subscribers who register with an Alternative Roaming Provider (ARP) to pay that ARP for services used while roaming within the EU. While the retail costs of such usage is charged by the ARP, the liability for wholesale costs of routing such calls and messages is less clear (and may even go outside the EU.) MNOs must carefully consider all such costs in their contractual agreements with ARPs.

7 How Fraud Goes Under the Radar Mobile operators face a number of challenges in their war against fraud. Retrospective analysis, limited fraud-detection resources, together with the delays and confusion introduced by international fraud all work in the fraudsters favour. Fraud Detection after the Event Most fraud detection relies on analysis of Event Data Records (EDRs) gathered from many systems of the network with alarms configured to highlight behaviour patterns indicative of fraudulent activity. Indeed Near Real-Time Roaming Data Exchange (NRTRDE) is the mobile industry s bulwark against most types of IRSF and roaming fraud. Although operators are committed to gathering EDRs in near real time, the FMS (Fraud Management System) still only gets to analyse them after the event. Of course retrospective analysis is a necessity for detecting most types of fraud but prevention in real-time must not be overlooked. Fighting a rear-guard action, with limited staff, MNOs Home Network struggle to detect new forms of fraud before the amounts lost have become truly significant. When the fraud is perpetrated across networks and national boundaries detection takes longer and the losses are multiplied by wholesale, interconnect and roaming charges. Well understood, automated detection procedures can be allocated to staff outside the local fraud department, for example to a group-wide team or even to managed service providers which can provide further cost savings. Because International Revenue Share is one of the top targets for fraudsters and roaming scenarios are particularly vulnerable, any delays in the receipt and processing of EDRs for roamers provides opportunity for fraud to progress for longer before it can be detected. Not Just for High Rollers MSC HLR FMS SMSC BSS OCS NRTDE Vendor CDR s CAMEL MSC/VLR BSS SMSC HLR Roaming Network Roaming Out Subscriber Near Real Time Roaming Fraud Detection

8 Most fraudsters and consequently fraud departments, focus on high-margin services where it is easiest to quickly run up large bills with relatively little traffic. However, more and more fraudsters are happy to keep under the radar by generating massive amounts of traffic over channels and services (such as SMS) for which the retail charges are very low. Constant Trickle or Sudden Flood? Another tactic used by fraudsters is that of the trickle attack. Instead of inflating the revenues of their service or interconnect with a dramatic flood of traffic over a single weekend, the fraudsters may inflate the traffic gradually or quite modestly. Although riskier than the smash-and-grab flood attack, trickled inflation is less likely to be detected in the short term and when allowed to run over a long period can provide a steady income for the fraudster. Analysis of historic data is the ideal way to detect such fraud, provided the fraud management system can be configured to consider sufficiently long reporting intervals. Fraud Detection in Real time Although many types of fraud can only be detected through retrospective EDR analysis, operators need to build in as many mechanisms as possible to prevent or detect fraud in real time. Such systems enrich the feed of EDR information sent to the revenue assurance and fraud departments. SMS Fraud Detection in Real Time Because of the submission, delivery and detection mechanisms in place for SMS, it lends itself well to detection of fraud while the service is in flight. Even while roaming, a subscriber s MO SMS are routed through their home-network SMSC and standardised fraud-detection techniques ensure that can nodes in the home network can still be included in the delivery MT SMS to out roamers. SMS Fraud and Spam detection solutions, such as Jinny s SmartGuard for SMS work in real time and can form an early-warning system for roaming fraud and for low-margin/high-volume scams. The EDRs provided by SMS fraud detection systems can make the FMS aware of SIMs that have fallen into the hands of fraudsters. Voice Call Fraud Detection in Real Time This is a much trickier prospect for operators but again arming systems with knowledge of known fraudulent practices helps. Bringing it all back Home (Unlike ANSI) The delivery mechanism for MT SMS defined in GSM networks allows for foreign SMSCs to deliver SMS directly to the visited MSC of subscriber of another network. If the subscriber is roaming out, this means that, apart from the HLR that provides routing information, no system of the home network is involved in the delivery and so has no visibility or control. GSM networks can, however, deploy mechanisms to handle routing requests from the SMSCs of other networks in order to intercept their MT SMS and regain oversight and control over the delivery. This practice known as Home Network Routing is recommended by the GSMA as an essential element of SMS fraud detection. in fraud is a given and one of the constant tasks of the fraud departments is keeping such lists up-to-date. Using the CAMEL protocol for real-time charging of service usage by prepaid subscribers enables the operator to maintain control and overview when they are roaming abroad. However, many operators have established billing processes for postpaid subscribers, which make such accounts even more attractive to IRSF fraudsters. Inserting additional nodes into call setup with the intelligence to detect unusual calling patterns is another way of protecting the network from voice call fraud that exploits vulnerabilities in legacy nodes such as the voic system. Indeed inserting a solution such as Jinny s SmartGuard for Voice Calls [ intelligent Voice Call Router ] can increase the security of several systems while avoiding costly upgrades or swap outs. It can also ensure that the same level of security and same format of EDRs applies to services based on various OEM platforms. Rather than filtering calls based simply on static rules, the detection systems needs to have the ability to identify new calling patterns in real time and identify new number ranges that may be suspicious. Jinny s SmartGuard for Voice Calls can monitor traffic to and from the voic and missed call notification systems to detect unusual patterns. These can frequently be an indication of Wangiri fraud. Blacklisting number ranges that are known to be used

9 Circle the Wagons Of course there is strength in numbers and the best way to combat the global challenge is collaboration between operators. The networks that tend to be the best at detecting and preventing fraud are those active in organizations that share alerts, detection methodologies and hot number ranges when new types of fraud are discovered. Organisations like the GSMA and their Fraud Forum are championing the sharing of this information. Sharing lists of hot number ranges and new fraud mechanisms detected helps curtail the spread of fraud and shares the load of deriving new solutions. The operators fraud departments need to constantly be aware of new and recurring trends within the industry. They also need the best tools and experienced partners to help them to monitor and protect their network against the continuous threats poised by fraudsters.

10 SmartGuard Solutions for SMS,MMS & Voice Jinny Software recognize that abuse and fraud is a major issue for mobile operators. Based on our industry expereince we know that one operators requirements are never the same as another. We have therefore developed SmartGuard, a flexible solution for security and protection across mobile messaging and calling services. SmartGuard contains a range of modules to monitor, filter, block and flag malicious traffic on the network. SmartGuard supports all standard automated detection procedures for messaging fraud prevention and detection. Additionally it includes the ability to proactively identify traffic patterns indicative of fraud or abus. Once identified this traffic can be automatically blocked temporarily or permanently. The solution can include an intelligent engine that learns and identifies the characteristics of Fraudulent or Spam messages. This facilitates the detection and blocking of new threats from the moment the system is installed. SmartGuard incorporates a range of tools to analyze and process voice traffic and call based services like Voic , adding a further layer of security and protection to the network For more information on how SmartGuard can protect your network and subscribers please contact Jinny Software.

11 Written by John Hurley, Chief Product Manager, Jinny Software Jinny Software 29 North Anne Street, Dublin 7, Ireland For more information on our services please or reach out to us through our LinkedIn and Twitter channels: Website: LinkedIn: Twitter: YouTube: About Jinny Software Jinny Software offers a comprehensive range of messaging, rich communications, signalling management and VAS Consolidation solutions aswell as Anti-Spam, Filtering and Network Security solutions. Jinny s 80+ customers are spread across 70 countries and include mobile network operators, virtual network operators and enablers, as well as other enterprises. Jinny Software operates from its headquarters in Dublin, Ireland. Implementation, project management, support and training are provided by service teams located in the US, Brazil, Ireland, Kenya, UAE and Malaysia. Jinny Software is a wholly owned subsidiary of the Acotel Group S.p.A, headquartered in Rome, Italy and traded on the Milan stock market (ACO.MI). Document Conditions Copyright Jinny Software Ltd. All rights reserved. No part of this publication, or any software included with it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including photocopying, electronic, mechanical, recording, or otherwise, without the prior written permission of the copyright holder. Trademarks & Registered Trademarks Products and product names mentioned in this document may be trademarks or registered trademarks of their respective owners. (J), Jinny are trademarks of Jinny Software Ltd. Jinny Software Ltd. is a wholly-owned subsidiary of the Acotel Group SpA